In our environment, we have syslog servers that send data to regional heavy forwarders (HFs). The data on the HFs eventually gets indexed and is searchable on the search heads.
The issue now is that we are able to see the data (logs) on the HFs, but we are not able to see them on the search heads.
E.g.: the last log present on an HF for a particular host is from the 30th of May, but the last log we can see on our search head for the same host is from the 27th or 28th of May. We will only be able to see the 30th's logs somewhere around June 1st or 2nd.
It is obvious there is some latency between the HF and the indexer. It is mostly because of bandwidth issues (confirmed).
But I would like to get a report from Splunk that gives us the time difference between the moment a log got into the HF and the moment it got indexed. Is there any SPL for getting this report?
Thanks in advance.
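One way to build the report asked for above, as an added example that is not part of the original post or a Splunk-supplied search. It uses the two timestamps Splunk stores on every event: `_time` (the timestamp parsed out of the event, i.e. roughly when the syslog server emitted it) and `_indextime` (when the indexer wrote it to disk). The index name, the sourcetype and the 7-day window are placeholders to adapt to your environment.

```spl
index=<your_index> sourcetype=syslog _index_earliest=-7d@d _index_latest=now
| eval index_lag_sec = _indextime - _time
| stats count
        min(index_lag_sec)    AS min_lag_sec
        avg(index_lag_sec)    AS avg_lag_sec
        perc95(index_lag_sec) AS p95_lag_sec
        max(index_lag_sec)    AS max_lag_sec
        max(_time)            AS last_event_time
        max(_indextime)       AS last_index_time
  BY host
| eval avg_lag_h = round(avg_lag_sec / 3600, 2),
       max_lag_h = round(max_lag_sec / 3600, 2),
       last_event_time = strftime(last_event_time, "%Y-%m-%d %H:%M:%S"),
       last_index_time = strftime(last_index_time, "%Y-%m-%d %H:%M:%S")
| sort - max_lag_sec
```

Two caveats a practitioner should keep in mind. First, the search runs on the search head, so it can only measure events that have already reached the indexer; anything still queued on the HF is invisible to it, which is why the search selects by `_index_earliest`/`_index_latest` (index time) rather than by event time, so that old events that were only just indexed are not excluded by the default time picker. Second, Splunk does not record the moment an event arrived at the HF, so `_indextime - _time` is the lag from the event's own timestamp to indexing, which also includes any delay between the syslog source and the HF and any clock skew between the two; if the HF also indexes a local copy (as the post suggests, since the logs are visible on the HF), comparing `_indextime` for the same event on the HF and on the indexer gives the HF-to-indexer component on its own.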